Cyber Security Breaches in the Private Sector: To What Extent Should the Government Be Involved?
It seems like every other day we hear a story about company X suffering from a security breach. The private sector has been a prime target for hackers seeking monetary gain by extorting companies and stealing intellectual property. Over the past few years, government at the local and federal levels has attempted to mitigate this threat by creating numerous initiatives. This has led many observers to ask, “How involved should the government be in the private sector’s cybersecurity efforts?”
The transition from analog to digital has allowed companies to operate at a more efficient level than ever before. However, this shift has brought a new set of challenges to the private sector. Companies housing valuable data on their customers, including payment or other sensitive information, have continued to be the targets of cyber attacks. A recent example of this was when UConn Health fell victim to a spear-phishing campaign that exposed the private medical records of 326,000 patients.
Spear-phishing campaigns such as these can also be used to deliver other types of malware. Just last week, municipal websites were hit with a rash of ransomware attacks that were executed using a newer strain of malware known as Ryuk ransomware.
With this increase in malicious cyber activity, it has become increasingly essential to keep data safe from the threat of hacking. The government and private sector’s recognition of this has led to increased cybersecurity funding over the past two years. According to a report by Dark Reading, investment in the security market reached a total of $4.4 billion in 2016 and $5.3 billion in 2018. Investments in the security market are expected to increase by 8.7 percent in 2019, making the market's value $124 billion.
Numerous states have created new legislation related to cybersecurity. The Securities and Exchange Commission (SEC) has also established new guidelines for publicly traded companies relating to cybersecurity disclosures. On the federal level, the government has created the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Defense, dedicated to consolidating the cybersecurity efforts across all departments within the government. One of CISA’s functions is to assist the private sector whenever a cyber-incident occurs.
Despite these efforts, collaboration between the private sector and the government has not gone as smoothly as planned. For one, there are liability implications for a company when it shares private user data with the government. The main concern is whether sharing customer data with the government infringes on users’ privacy.
Another issue is that many businesses do not report breaches in real time, if at all. A report by Audit Analytics shows that companies disclosed only 29 out of 84 data breaches to the SEC in 2017.
Private businesses may have their own reasons for not wanting to report breaches, primarily relating to negative press and the alarm it causes their customers. Whatever legitimate reasons companies may feel they have, the lag between when a breach happens and when it is disclosed is critical to mitigating the damage caused by the breach.
Finally, a major issue that has been plaguing both the government and the private sector is a lack of skilled cybersecurity professionals. Any initiative taken will have little impact if there isn't a qualified workforce to implement it.
So how should the government be involved? Some argue that it should introduce more legislation and regulation when it comes to cybersecurity. Others argue that a better approach is for the government to sponsor cybersecurity training in both academic institutions and companies. A good model to imitate is how Israel and Singapore have invested in cybersecurity research and development programs. This approach kills two birds with one stone, by creating skilled cybersecurity professionals and at the same time staying at the forefront of cybersecurity research.
The free market generally works better the less government interferes with private companies. In regard to cyber matters and the protection of critical data, however, we must look at all perspectives. This is because our cybersecurity is increasingly intertwined with matters related to public safety. Customers regularly share information such as their name, date of birth, address, and Social Security number with entities ranging from banking institutions to the healthcare networks responsible for their well-being. With for-profit hacking proliferating at levels never before seen, there is a need to constantly examine what possible remedies exist to keep Americans safe.